Credit Unions Hacked More Than Banks

One vendor’s research shows FIs should never rest on their laurels, no matter their size or visibility.

Are credit unions the preferred target of hackers — more so than banks? According to a one-year study conducted by IT security services provider SecureWorks (Atlanta), the answer appears to be yes.

Limited as this research might seem, it does suggest some interesting trends. SecureWorks tracked its 600 bank and 500 credit union customers from February 2005 to March 2006 and found that, as a whole, credit unions were attacked 67 percent more than its bank clients. Although its larger bank customers were harassed more as an individual group (968 daily attacks for banks in the $10 billion asset range, and far fewer for smaller banks), credit unions, no matter their size, were definitely the favorite target. SecureWorks blocked an average of 767 attacks per credit union per day.

These results are somewhat surprising to Jon Ramsey, CTO with the company. “Credit unions aren’t very well known when compared to banks,” he says. “You think foreign entities wouldn’t know about them. And a lot of credit unions have the opinion that they have nothing [a cyber criminal] would want. The irony is, that’s the attitude hackers look for.”

Elizabeth Clark, VP of corporate communications with SecureWorks, agrees. “We have customers sitting out in Bismark, N.D., and they ask us how anyone would even know they’re a credit union. Some of them don’t even have the words ‘credit union’ in their names.”

There’s no such thing as anonymity in the Internet Age, comments Ramsey. A simple search with Google, the FDIC or NCUA produces just the results hackers seek. “Hiding is not a very valuable security strategy,” he notes.

Ramsey is quick to point out that credit unions are no less secure than banks. In fact, he believes the financial services industry in general is quite security conscious, but that there’s always room for improvement. “The way you protect yourself today might not be enough for tomorrow,” he relates. “Hacking is an incredibly organized, efficient money-making endeavor.”

Indeed, cyber criminals are constantly engaged in finding new ways to thwart banks’ security systems. Ramsey says the new trend financial institutions need to be aware of is targeted attacks. “[Hackers] will look to a specific application within a particular credit union or bank,” he explains. “They do this because no one knows about these proprietary applications, so you don’t see patches coming from the big vendors. They look for the weakest application.”

Furthermore, companies should never breath a sigh of relief after repairing a vulnerability, Ramsey warns. “If someone gets compromised and they fix it, this still tends to draw a lot of attention to that organization. Hackers figure if they can get in once, they can get in again.”

Ramsey thinks that one problem facing financial institutions today is that some of them still need to get their heads around the concept of security as more than just a vault. “Some financial institutions have trouble speaking the language, so they just follow the regulatory guidance and go find a vendor who offers multi-factor authentication. There’s no one silver bullet,” he says.

Also, look for things to start heating up again with the spread of SQL injection attacks, Ramsey suggests. SQL injection is a type of security exploit in which the attacker adds structured query language (SQL) code to a Web form input box to gain access to resources or make changes to data. With this technique, hackers can determine the structure and location of primary databases and can download the database or compromise the database server. The Secret Service recently issued an advisory about this type of hack, according to Ramsey.

Like many in the industry, Ramsey advocates a layered approach to security for financial institutions. “You need a defense in depth, like a castle,” he explains. “You need the right technology (your weapons), experts who know how to use the weapons, processes for doing all this and good information. Remember, your highest priority isn’t necessarily your core processing system, but it might be a secondary system instead.”